External Authentication with Windows 2008R2 Server

with Remote Desktop Web Gateway

Authenticating Users Using SecurAccess Server by
SecurEnvoy
















Contact information
SecurEnvoy www.securenvoy.com 0845 2600010
1210 Parkvi ew
Arl i ngton Busi ness Park
Theal e
Readi ng
RG7 4TY

Andy Kemshal l akemshal l @securenvoy.com




2005 Sec urEnvoy Ltd. All rights reserved Page 2

Windows 2008R2 Server with Remote Desktop Web Gateway Integration Guide

This document describes how to integrate a Windows 2008 R2 Remote Desktop Web
(RDWeb) Gateway installed with SecurEnvoy two-factor Authentication solution called
SecurAccess.
Microsoft Windows 2008R2 Remote Desktop provides Web based Secure Application
Access to the internal corporate network.
Connections to Remote Desktop must be made from a browser and not directly from
a terminal server client.

SecurAccess provides two-factor, strong authentication for remote Access solutions
(such as Microsoft), without the complication of deploying hardware tokens or
smartcards.
Two-Factor authentication is provided by the use of (your PIN and your Phone to
receive the one time passcode)

SecurAccess is designed as an easy to deploy and use technology. It integrates
directly into Microsofts Active Directory and negates the need for additional User
Security databases. SecurAccess authentication server is directly integrated with
LDAP or Active Directory in real time.

SecurEnvoy Security Server can be configured in such a way that it can use the
existing Microsoft password. Utilising the Windows password as the PIN, allows the
User to enter their UserID, Windows password and One Time Passcode received
upon their mobile phone. This authentication request is passed via the SecurEnvoy
IIS Web Agent via the HTTP protocol (authentication packet is encrypted by AES
128bit) to the SecurEnvoy server where it carries out a Two-Factor authentication. It
provides a seemless login into the Windows 2008R2 Remote Desktop environment by
entering three pieces of information. SecurEnvoy utilises a web GUI for configuration,
whereas the Microsoft Windows Server environment uses a GUI application. All notes
within this integration guide refer to this type of approach.


The equipment used for the integration process is listed below:

Microsoft Windows Server 2008R2
Installed roles:
Remote Desktop Services

SecurEnvoy
SecurAccess Server software release v5.2.501
IIS Web Agent V5.3.501
Note
This document relates only to RDWeb access. If you want to authenticate
Remote Desktop Client connections as well you will need to install Windows
Login Agent on the Terminal Server hosts instead of this solution: see
http://www.securenvoy.com/integrationguides/Windows%20Login%20Agent.pdf
Note
You must use IIS Agent version 5.3.501 or higher
You must use Security Server version 5.2.500 or higher




2005 Sec urEnvoy Ltd. All rights reserved Page 3

Contents

1.0 Pre Requisites .......................................................................... 3
2.0 Configuration of Remote Desktop Gateway Server ......................... 3
2.1 Configure IIS to protect Rpc and RDWeb...................................... 3
2.2 RemoteApp Manager Configuration ............................................. 6
2.3 Setting Up Single Sign-On .......................................................... 7
3.0 Configuration of SecurEnvoy Server ............................................. 7
4.0 Test Logon .............................................................................. 8

1.0 Pre Requisites

It is assumed that Remote Desktop Services has been installed upon the relevant server(s).
An existing Domain user can authenticate using a windows user name and domain password
and access applications. All communications are over HTTPS (port 443) for client browser to
/RDWeb.


2.0 Configuration of Remote Desktop Gateway Server

2.1 Configure IIS to protect Rpc and RDWeb

a. Install SecurEnvoy IIS Web Agent v5.2.501 or higher on the remote desktop
gateway server that hosts the IIS virtual directory RDWeb
b. Start IIS Manager
c. Select Default web site under connections pane.
d. Select the SecurEnvoy Icon

Note
You must use SecurEnvoy IIS Agent version 5.3.501 or higher
You must use SecurEnvoy Security Server version 5.2.500 or higher




2005 Sec urEnvoy Ltd. All rights reserved Page 4




e. Select Enable Authentication On Default Web Site.



f. Apply changes
g. Select Rpc under Default Web Site
h. Select the SecurEnvoy Icon
i. Select the check box Enable Authentication On /Rpc




2005 Sec urEnvoy Ltd. All rights reserved Page 5



j. Cancel IIS Restart
k. Select RDWeb under Default Web Site
l. Select the SecurEnvoy Icon
m. Select the check box Enable Authentication On /RDWeb
n. Apply and Restart IIS
o. Navigate back to Default Web Site > RDWeb and select the Authentication icon
p. Disable Basic Authentication
q. Make sure that only Anonymous Authentication is Enabled



r. Check SecurEnvoyAuth is a member of the application pool RDWebAcess thi s
shoul d be the case i f you protected RDWeb l ast
Note
SecurEnvoyAuth MUST be a member of the RDWebAccess Application Pool




2005 Sec urEnvoy Ltd. All rights reserved Page 6

In the Navigation pane, select top level host name (the 2
nd
line down).
Scroll down the centre panel and press the SecurEnvoy Two Factor icon.
Setup your required inactivity timeout.
Add the logout URL logoff.aspx (enter logoff.aspx right of the Add button
and press Add)
Restart IIS when prompted.


2.2 RemoteApp Manager Configuration

a. Click Start > Administrative Tools >Remote Desktop Services >RemoteApp Manager.
b. In the Overview pane of RemoteApp Manager, next to RDP Settings, click Change.
c. On the Custom RDP Settings tab, type or copy the following RDP settings into the Custom
RDP settings box:

pre-authentication server address: s: https://<hostname>/rdweb
require pre-authentication:i:1

Note: <hostname> should be replaced with the external name of the RDWeb
server (i.e. The name that the browser will use).





2005 Sec urEnvoy Ltd. All rights reserved Page 7



e. When you have finished adding the settings, click Apply
2.3 Setting Up Single Sign-On

Change directory to C:\Program Files (x86)\SecurEnvoy\Microsoft IIS
Agent\SAMPLES\RemoteDesktop2008R2

Copy passcodeok.htm, auth.htm and accessdenied.htm ..\..\WEBAUTHTEMPLATE\

3 Configuration of SecurEnvoy Server
For single-signon to work the SecurEnvoy server must be configured to use LDAP password
as the PIN (This is the default)

Launch the SecurEnvoy admin interface, by executing the Local Security Server
Administration link on the SecurEnvoy Security Server.

Click Config

Select LDAP Password is the PIN under PIN Management (This is the default setting)

Click Update to confirm the changes




2005 Sec urEnvoy Ltd. All rights reserved Page 8



4.0 Test Logon
Open a browser and navigate to https://machine.domain.com/RDWeb



Enter Domain Username in the UserID field
Enter Domain Password in the Password field.
Enter SMS passcode (received upon mobile phone) in the Passcode field
Select your Security Option
Click Send
Once logged on will be single signed onto the RDWeb access page





2005 Sec urEnvoy Ltd. All rights reserved Page 9




Note
You will be prompted for a domain login when you access any application.